CVE-2025-53813

MEDIUM

Nozbe <2025.11 - Code Injection

Title source: llm

Description

The configuration of Nozbe on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Nozbe TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 2025.11 of Nozbe.

References (2)

[Various Sources] https://cert.pl/en/posts/2025/08/tcc-bypass/

[Various Sources] https://nozbe.com/

Scores

CVSS v4 4.8

EPSS 0.0002

EPSS Percentile 4.3%

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-276

Status published

Products (1)

Nozbe/Nozbe < 2025.11

Published Aug 26, 2025

Tracked Since Feb 18, 2026